8.06.26

Passkeys – What You Need to Know

The National Cyber Security Centre (NCSC) recommends users opt for passkeys over passwords wherever they are available. Passkeys are a more secure alternative to passwords that you don’t need to remember as they are created and managed safely by the software on your device(s). 

The digital industry is moving rapidly towards offering “passwordless” authentication for logging into online services and accounts, and many major platforms already support it.

The NCSC supports the public adoption of passkeys and recommends using passkeys over passwords wherever available.

Why passkeys are better than passwords

Passkeys are a better alternative for the following reasons:

  • 1. They are more secure
    • The key reason for this is that passkeys are resistant to phishing, as they can’t be intercepted, reused or stolen like passwords. This removes one of the most common ways accounts are compromised.
    • They’re user-friendly. Before authorising use of the passkey, your device checks that it’s you by whatever means you already use to unlock that device, for example Face ID, fingerprint or PIN.
    • The NCSC technical paper comparing the security of traditional multi-factor authentication (MFA) – also known as two-step verification (2SV) – with passkeys demonstrates that passkeys are always as secure as or more secure than 2SV using the strongest password.
  • 2. They are fast and convenient
    • Passkey logins are up to 8 times faster than signing in with username, password and 2SV code.
    • You don’t need to remember anything. The password manager on your device – more accurately called a ‘credential manager’ as it manages more than just passwords – creates and keeps the private key safe and synchronised across your devices.
  • 3. They offer greater resilience
    • There is substantial evidence of malicious cyber actors taking advantage of password authentication via effective phishing and spear-phishing attacks – from cyber criminals and hacktivists to nation-state actors linked to China, North Korea, Russia and Iran. But implementing and adopting passkeys reduces the effectiveness of this activity. When combined with keeping your devices and apps up to date, passkeys significantly reduce the likelihood of phishing attacks, making this common technique far less effective for cyber criminals and nation-state actors. This means the more UK citizens choose to adopt passkeys, the greater our national resilience to phishing attacks.

How do I use a passkey?

Passkeys are created, saved, stored and managed for you on your trusted device(s) – such as your smartphone, tablet or computer – by your chosen credential manager (the more accurate term for ‘password manager’). This will most likely be the default one built in to your device – such as Apple Passwords, Google Password Manager or Samsung Pass – unless you have specifically chosen to install and use a third-party one, for example, to synchronise passwords across different browsers and devices.

The credential manager:

  • Makes and protects your passkeys.
  • Uses the way you unlock your device to make sure that it’s you – or someone you really trust – before allowing use of a passkey.
  • Makes a backup of your passkeys for safety, which means you shouldn’t completely lose access to your passkeys in the event you lose your device(s).
  • Can copy (or ‘sync’) your passkeys to other devices you trust for convenience, so you don’t have to create a new one for each device you own.

Use a credential manager to start setting up a passkey:

  • Where they’re offered on your existing accounts (by checking the account security or privacy settings). Look out for prompts from services encouraging you to upgrade to passkeys.
  • Right from the beginning when creating a new account.

If passkeys aren’t available

Passwords have been the cornerstone of online security for decades, helping to protect our digital identities and sensitive information from unauthorised access. Users shouldn’t simply forget all their passwords or attempt to set up accounts without any form of security. 

Where passkeys are not an available option, you should continue to use strong passwords, for example ones generated by a password manager, and enable 2SV. This remains a resilient defence against online attackers.

Contact us today for additional cyber-security guidance.

Information provided by National Cyber Security Centre with a contribution from Lisa Langley, Cert CII, Team Leader, Professional Risks, Cox Mahon Ltd.
